Passwords are Broken. WebAuthn is the New Standard for Authentication

Written by Kathy Zant on September 22, 2022

Last Updated on September 22, 2022

Recently, iThemes Security Pro added passkeys as a primary authentication method for WordPress sites. This groundbreaking release is the first of its kind in the WordPress space, and it’s something you should know about. Once again, iThemes Security has shown leadership in providing exceptional security functionality to WordPress users.

In this post, we’ll review the password problem, what WebAuthn is, and why you’ll begin to use this technology everywhere. If you’re a WordPress site owner looking to improve login and security functionality for your end users, you now have the cutting edge standard for friction-free logins available to you.

Understanding the password problem that WebAuthn solves

Our online lives, including the user accounts used by WordPress, have been based on username and password access. This was fine for a while, but reused passwords, dictionary brute force attacks, and the sharing of breached account data among malicious actors have made password-based security ineffective.

In fact, Verizon’s DBIR Report for 2022 reports that over 80% of breaches can be attributed to stolen credentials, and there has been a 30% increase in stolen credentials as a primary intrusion vector versus vulnerability exploitation.

Credentials refer to the username/password combination, and Verizon’s data tells us one thing: passwords are broken. The addition of two-factor authentication (2FA) has helped, but the friction and complexity it adds mean that only 28% of users have adopted it. We get it: 2FA adds another layer of friction for attackers, but it also makes logging in harder for users. And SMS-based 2FA in particular just isn’t secure enough. Stories of SIM port attacks on high-value targets are not common, but they are catastrophic when they occur.

The FIDO (Fast Identity Online) Alliance has been working towards fixing these problems, and WebAuthn is the specification that has come out of that work.

At this stage of our digital lives, passwords are broken. Thankfully there is a new and better way for authentication, and that is WebAuthn.

What is WebAuthn?

WebAuthn is short for the Web Authentication API. It is a specification written by the W3C and FIDO, with the participation of Apple, Google, Mozilla, Microsoft, Yubico, and others. The WebAuthn API allows servers to register and authenticate users using public key cryptography instead of a password. Since January 2019, WebAuthn has been supported on Chrome, Firefox, Microsoft Edge, and Safari. At the time of this writing, WebAuthn is supported by well over 90% of devices and their browsers.

WebAuthn is part of the FIDO2 framework, which is a set of technologies that enable passwordless authentication between servers, browsers, and authenticators. WebAuthn was standardized by the World Wide Web Consortium.

Now that so many of our devices support biometric authentication, such as Face ID on your iPhone, fingerprint recognition on your MacBook, Windows Hello, and many others, we have a new way of determining whether a login attempt actually comes from the valid user rather than from a brute force attack.

How does WebAuthn work?

WebAuthn uses public key cryptography to authenticate users to the systems they use. With WebAuthn, you can use a single authentication method, such as the biometrics on your devices or a YubiKey, on any site that supports the standard. This way, as a user, you don’t need a password for every site you visit, just a strong authenticator that works with WebAuthn.

Using this strong authenticator instead of a password, we create a public-private keypair for each website. The private key is stored securely on your device (for example, your phone or computer), and the public key, together with a randomly generated credential ID, is sent to the web server for storage. The web server (in the case of iThemes Security Passkeys, your WordPress site) can then use the public key to verify the user’s identity.

How WebAuthn Works

This public key is not a secret. As such, if the web server or WordPress site is ever hacked, the credentials stored with the public key are useless to an attacker. The public key simply cannot be used without the private key.

To understand how WebAuthn actually works, the FIDO2 Project has some great resources.

WebAuthn changes the security landscape

WebAuthn really is groundbreaking in the world of security. Databases are no longer as attractive to hackers, because the public keys aren’t useful to them. WebAuthn also makes credential theft more difficult.

And for end users, WebAuthn eliminates the need to remember multiple usernames and passwords. All a user on a MacBook, for example, needs is their fingerprint to log into their site enabled with iThemes Security Passkeys.

Apple, which has implemented WebAuthn, also notes that WebAuthn protects against phishing attacks. A phishing attack that emails users links to fake login screens is not effective without passwords: a user logging in with passkeys has no password to type into a malicious phishing form. Authentication is handled entirely by the private key on the user’s device signing a challenge that is verified with the public key stored on the web server, and the browser ties each credential to the website’s origin, so a lookalike domain cannot trigger the real credential. WebAuthn effectively renders both random phishing attacks and targeted spearphishing attacks completely ineffective.

The security game has changed with WebAuthn. While it may take some time for brute force attacks and password theft to become less attractive to malicious attackers, proactive site owners who choose to implement WebAuthn will be leaders in ensuring that their sites are no longer a part of the game.

Frictionless logins make for happier customers

These site owners are also providing an additional valuable feature for their users, customers, students, or whoever is logging into their WordPress sites. Instead of requiring friction-filled multi-factor authentication protocols to ensure that the WordPress site stays secure, WebAuthn implemented by iThemes Security allows site owners to provide a friction-free passwordless login while making their site much less attractive to hackers.

More implementations of WebAuthn are coming

You might look at how life-changing this technology is and wonder why more sites, services and apps are not using WebAuthn. While this technology is groundbreaking, it is also very new. Adding WebAuthn to legacy services will require some refactoring. But as we’ve seen with many new technologies that change the landscape, it is coming. The need to move beyond passwords is a definite driver. And, as more users experience frictionless login capabilities, we’ll begin to see user requests to have passwordless logins expanded.

In this way, iThemes Security has cemented itself as the leader in WordPress security, changing the face of how WordPress users log in. iThemes Security Passkeys is the first implementation of WebAuthn in the WordPress space, and it will certainly be the standard going forward.

To get iThemes Security Passkeys for your WordPress site now, you’ll need iThemes Security Pro. Luckily, you can currently get this at a discounted price. You won’t see these low prices for long, however. The sale ends September 30, 2022.

Kathy Zant

Kathy is a Product Marketing Manager for Kadence at StellarWP and has been working with WordPress for over a decade. She has both technical and marketing experience and has worked with a number of brands in the WordPress space. She has helped numerous organizations empower their businesses with WordPress. She’s helped organize both WordCamp Phoenix and WCUS. She currently lives outside of Denton, TX where she can often be found walking golden retrievers or hanging out in horse barns.
